[resend to linux-crypto]

Hi,

the following patches fix timing leaks which are introduced by using (non-constant time) memcmp() to verify cryptographic authentication tags. Specifically, the AES-GCM and AES-CCM implementations in the IBM Power in-Nest Crypto acceleration driver and the AEAD decryption function in the Freescale SEC (talitos) driver are vulnerable to this kind of attack.

These timing leaks can be used by an attacker to find the correct authentication tag value for arbitrary messages with far less effort than brute-force testing all 2^n possible values for an n-bit tag.

The fix is rather simple: Use crypto_memneq() as the generic implementations in crypto/* already do.

Kind regards,
David

David Gstir (2):
  crypto: nx - Fix timing leak in GCM and CCM decryption
  crypto: talitos - Fix timing leak in ESP ICV verification

 drivers/crypto/nx/nx-aes-ccm.c | 2 +-
 drivers/crypto/nx/nx-aes-gcm.c | 3 ++-
 drivers/crypto/talitos.c       | 2 +-
 3 files changed, 4 insertions(+), 3 deletions(-)

-- 
2.1.4
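Added illustration (not part of the patch series or the kernel's own code): a userspace model of the defect the cover letter describes. An early-exit compare in the style of memcmp() does an amount of work that depends on where the first mismatching tag byte sits, while a compare in the spirit of crypto_memneq() always touches every byte and OR-accumulates the differences. The tag values are constructed for the demonstration, and the function names are my own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TAG_LEN 16 /* AES-GCM / AES-CCM authentication tag length in bytes */

/* Early-exit compare modelled on memcmp(): returns the number of bytes
 * inspected before a verdict is reached. This count is what a timing
 * side channel exposes, so it leaks the position of the first mismatch. */
static size_t early_exit_bytes_inspected(const uint8_t *a, const uint8_t *b,
                                         size_t n)
{
    size_t i;
    for (i = 0; i < n; i++)
        if (a[i] != b[i])
            return i + 1;
    return n;
}

/* Constant-time compare in the spirit of crypto_memneq(): every byte is
 * visited and the XOR differences are OR-accumulated, so the work done does
 * not depend on where (or whether) the buffers differ. Returns non-zero if
 * the buffers differ and 0 if they are equal, matching crypto_memneq(). */
static unsigned int ct_memneq(const uint8_t *a, const uint8_t *b, size_t n)
{
    unsigned int diff = 0;
    size_t i;
    for (i = 0; i < n; i++)
        diff |= (unsigned int)(a[i] ^ b[i]);
    return diff;
}

/* Constructed sample tags (not real traffic): the expected tag and two
 * candidates, one differing in byte 0 and one differing only in byte 15. */
static const uint8_t expected_tag[TAG_LEN] = {
    0x3a, 0x7f, 0x11, 0xc4, 0x5e, 0x90, 0x2b, 0xd8,
    0x66, 0x0f, 0xa3, 0x19, 0x7c, 0xe2, 0x48, 0xb5 };
static const uint8_t wrong_first[TAG_LEN] = {
    0x3b, 0x7f, 0x11, 0xc4, 0x5e, 0x90, 0x2b, 0xd8,
    0x66, 0x0f, 0xa3, 0x19, 0x7c, 0xe2, 0x48, 0xb5 };
static const uint8_t wrong_last[TAG_LEN] = {
    0x3a, 0x7f, 0x11, 0xc4, 0x5e, 0x90, 0x2b, 0xd8,
    0x66, 0x0f, 0xa3, 0x19, 0x7c, 0xe2, 0x48, 0xb4 };

int main(void)
{
    printf("memcmp-style: mismatch at byte 0 inspects %zu bytes, "
           "mismatch at byte 15 inspects %zu bytes\n",
           early_exit_bytes_inspected(expected_tag, wrong_first, TAG_LEN),
           early_exit_bytes_inspected(expected_tag, wrong_last, TAG_LEN));
    printf("crypto_memneq-style: wrong tag -> %u, correct tag -> %u\n",
           ct_memneq(expected_tag, wrong_last, TAG_LEN),
           ct_memneq(expected_tag, expected_tag, TAG_LEN));
    return 0;
}
```

Only the boolean result of ct_memneq() is meaningful to callers; like crypto_memneq() it says whether the tags differ, never where.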